Marketing Consent vs HIPAA Consent: Don't Mix Them (Simply Explained)
A plain-language guide to marketing consent vs HIPAA consent. No jargon, no tech speak, just what it means for your business.
By Mike Hodgen
Two Numbers That Should Scare Any Health Brand
$1.5 million and $7.8 million.
Those are two real fines that hit two well-known health companies. One was a prescription-discount company. The other was an online therapy platform. Both fines are public record.
Here's the part that matters: neither was a hack. Nobody broke in. No database got stolen. These were normal-looking marketing setups that any growth team would build.
Someone wanted to run Facebook ads. Someone wanted to measure which ads worked. So they added the standard tracking tools and called it marketing.
The problem was what flowed through those tools. Private health information (diagnoses, prescriptions, the stuff a patient tells you in confidence) ended up inside an ad platform. The legal problem in both cases was the same: the company treated permission for one thing as permission for everything.
If you run a telehealth, longevity, or any health-adjacent brand, the real question is simple. Are you one checkbox away from a six-figure fine?
Let me be honest. The fix here is not exciting. It's structural and a little boring. But it's the kind of thing that looks like overkill right up until a regulator asks you to prove something you can't prove.
Marketing Permission and Medical Permission Are Two Different Things
Most founders think these two permissions sit on a sliding scale. Marketing permission is the casual one. Medical permission is the serious one. And if you've got the serious one, you've covered the casual one too.
That's exactly the thinking that lands brands in trouble.
These aren't a lighter and heavier version of the same thing. They're two completely different agreements, governed by two completely different sets of laws.
Marketing permission is when someone says "yes, send me your emails." It covers promotional messages and texts. The person can cancel it anytime, for any reason. And it should never, ever touch private health information.
Texting has its own strict rules. You cannot bundle "text me" into a general "keep me updated" box. The law expects a separate, clear yes for texts, and you have to save the exact words the person agreed to at that moment.
Medical permission is a totally different document. It's tied to a patient's medical record. It lets a doctor treat them, bill them, and message them about their care. It doesn't disappear because someone got annoyed by a marketing email.
Here's the key point. These two permissions live in different legal homes, get canceled in different ways, and cover different information. Unsubscribing from marketing and withdrawing medical permission are not the same action and should never trigger each other.
The moment you treat them as one, you've built a single weak point across two sets of laws.
The Three Mistakes That Create the Risk
In my experience, the damage almost always comes from one of three quiet shortcuts. Each one feels convenient. Each one is a fine waiting to happen.
Mistake one: bundling texts with emails. You've seen the checkbox: "Sign me up for emails and texts." That's a legal problem. Texting needs its own separate yes. When you bundle them, someone who only wanted emails is now legally considered to have never properly agreed to texts. The fines run per message, so the math gets ugly fast.
Mistake two: letting medical info leak into your marketing. This is what built those public fines. A diagnosis or prescription, or even the fact that someone searched for a specific condition, ends up inside an advertising audience. The tracking tool didn't know the difference between a marketing event and a medical one. Nobody told it.
Mistake three: treating a patient as an automatic marketing subscriber. You turn a lead into a patient, and your system quietly adds them to your promo list. Now their patient relationship is being used as marketing permission they never gave. Or the reverse: someone unsubscribes from your marketing, and that also kills their appointment reminders. Now a marketing action is disrupting their actual care.
None of these were malicious. They're just defaults someone picked because they were easy. All of them are cracks in the foundation.
The Fix Is a Consent Ledger, Not a Better Checkbox
The solution isn't a fancier checkbox. It's a consent ledger. Think of it like a permanent logbook that records every single permission a person ever gives you, separately, with the exact details.
Here's how I'd build it.
Every permission is its own entry. Text permission gets its own box, unchecked by default, with the exact words the person agreed to saved word-for-word. Never bundled. Never assumed.
Medical permission lives in a completely separate system, tied to the patient record.
Then I'd set up a one-way street for information. Basic info (name, email, phone) can flow from marketing into the medical side when a lead becomes a patient. That makes sense. You need to know who your patient is.
But medical information never flows back. Not the diagnosis. Not the prescription. Not the appointment type. The pipe runs one direction only, and the dangerous direction is closed off by design, not by a policy memo someone might forget.
And the two permissions cancel separately. Becoming a patient doesn't auto-subscribe anyone to marketing. Unsubscribing from marketing doesn't stop care messages. Withdrawing medical permission doesn't touch the marketing list.
This is deliberately boring. It doesn't look impressive in a meeting. But it's the difference between "we can prove these are kept separate" and "we hope nobody asks."
What a Good Record Actually Looks Like
When a regulator asks you to prove someone agreed to texts, "we have it somewhere" is not an answer. Each entry in your logbook needs to capture:
- Who the person is
- What they agreed to (email, text, or medical)
- The exact words they saw, saved word-for-word
- The date and time, down to the second
- Where they agreed (which page, which form)
- How they agreed (a checkbox, a signature, a verbal yes you logged)
- A record that can never be edited after the fact
That last one matters. You never erase an entry. If someone changes their mind, you add a new entry. The history stays intact.
Here's the test it has to pass. A regulator says, "Prove this person agreed to texts on this date." You should be able to show the exact words, the timestamp, and how they agreed, in seconds.
Most fast-built signup forms can't do this. They just store a single yes-or-no flag. When an audit hits, that flag proves nothing about what the person actually agreed to. That's exactly where companies bleed.
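As an added example (not code from this article or from Hodgen.AI), here is one way to implement the logbook described above in Python: every scope is its own entry, the marketing and medical ledgers are separate objects that refuse each other's scopes, a withdrawal is appended rather than edited, and `proof()` answers "show me what this person agreed to on this date." The person id, wording and timestamps are constructed sample data, not real records.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)            # frozen: an entry can never be edited after the fact
class ConsentEntry:
    person_id: str
    scope: str                     # exactly one of "email", "sms", "medical"; never bundled
    granted: bool                  # True = the person agreed, False = they withdrew
    text_shown: str                # the exact words they saw, saved word-for-word
    recorded_at: datetime          # timezone-aware, to the second
    source: str                    # which page or form
    method: str                    # e.g. "checkbox", "signature", "verbal", "link click"

class ConsentLedger:
    """Append-only logbook: withdrawals are new entries; nothing is edited or deleted."""
    def __init__(self, allowed_scopes):
        self._allowed = frozenset(allowed_scopes)
        self._entries = []

    def record(self, entry):
        # A ledger only accepts its own scopes, so medical consent can't land in the
        # marketing logbook (or the reverse) and one unsubscribe can't touch the other.
        if entry.scope not in self._allowed:
            raise ValueError(f"scope {entry.scope!r} does not belong in this ledger")
        self._entries.append(entry)

    def proof(self, person_id, scope, at):
        """The entry that governed `scope` for this person at time `at` (None if none)."""
        governing = None
        for e in self._entries:    # arrival order, so the last match is the latest one
            if e.person_id == person_id and e.scope == scope and e.recorded_at <= at:
                governing = e
        return governing

    def is_granted(self, person_id, scope, at):
        e = self.proof(person_id, scope, at)
        return e is not None and e.granted

def utc(iso_string):
    """Helper for the constructed timestamps below."""
    return datetime.fromisoformat(iso_string).replace(tzinfo=timezone.utc)

def build_sample_ledgers():
    """Constructed sample data: two separate ledgers, one person, one later withdrawal."""
    marketing = ConsentLedger({"email", "sms"})   # marketing scopes only
    medical = ConsentLedger({"medical"})          # medical scope only; a separate system
    marketing.record(ConsentEntry("p-1", "email", True, "Send me the newsletter.",
                                  utc("2024-03-01T10:00:00"), "/signup", "checkbox"))
    marketing.record(ConsentEntry("p-1", "sms", True, "Text me appointment tips.",
                                  utc("2024-03-01T10:00:05"), "/signup", "checkbox"))
    medical.record(ConsentEntry("p-1", "medical", True, "Consent to treatment and billing.",
                                utc("2024-03-02T09:00:00"), "/intake", "signature"))
    marketing.record(ConsentEntry("p-1", "email", False, "Unsubscribe link clicked.",
                                  utc("2024-04-01T12:00:00"), "/email-footer", "link click"))
    return marketing, medical
```

The email withdrawal on April 1 leaves the SMS and medical entries untouched, and the original March 1 email opt-in still proves what was agreed on any date before the withdrawal.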
How I'd Test Your Setup in 30 Minutes
If you handed me your signup flow today, I could find your risk fast with six questions.
- Does your text opt-in have its own checkbox, separate from email?
- Is it unchecked by default?
- Do you save the exact words people see when they opt in?
- Does turning a lead into a patient auto-subscribe them to anything?
- Can a diagnosis or prescription reach an ad platform?
- Does a marketing unsubscribe affect appointment reminders?
A wrong answer to any of those is the same structural flaw behind those public fines. Not a similar flaw. The same one.
Here's the good news. You're probably not one pixel away from a fine by accident. But you might be one default away. And the fix is design work, not a lawsuit. It's a consent logbook, separate systems, and a one-way street for information. It's boring, it's buildable, and it's a lot cheaper than $7.8 million.
I build this separation correctly the first time, baked in from the start, instead of bolted on after a regulator comes knocking.